Deprecate the "tkey-gssapi-credential" statement

The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).

Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named.  Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.

(cherry picked from commit 6de435c5285b7b87321064752aab3e3178d9448f)

diff --git a/doc/arm/advanced.inc.rst b/doc/arm/advanced.inc.rst
index 5ebb6a3dc9c316256b37178d26448bf9657aabfa..34665fc444cbcb364b4cc07e5ea4c3b1b5ee590e 100644 (file)
--- a/doc/arm/advanced.inc.rst
+++ b/doc/arm/advanced.inc.rst
@@ -31,11 +31,10 @@ are permitted for the key ``local-ddns``, which is generated by
 :iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
 
 Dynamic updates using Kerberos-signed requests can be made using the
-TKEY/GSS protocol, either by setting the :any:`tkey-gssapi-keytab` option
-or by setting both the :any:`tkey-gssapi-credential` and
-:any:`tkey-domain` options. Once enabled, Kerberos-signed requests are
-matched against the update policies for the zone, using the Kerberos
-principal as the signer for the request.
+TKEY/GSS protocol, by setting the :any:`tkey-gssapi-keytab` option.
+Once enabled, Kerberos-signed requests are matched against the update
+policies for the zone, using the Kerberos principal as the signer for
+the request.
 
 Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
 NSEC, and NSEC3 records affected by updates are automatically regenerated

diff --git a/doc/misc/options b/doc/misc/options
index f8fdec6859271641bcaea9dfb7daf1899e998d8d..fb0bf6563a98521382974968dc2cd6ce17213053 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -300,7 +300,7 @@ options {
        tcp-send-buffer <integer>;
        tkey-dhkey <quoted_string> <integer>; // deprecated
        tkey-domain <quoted_string>;
-       tkey-gssapi-credential <quoted_string>;
+       tkey-gssapi-credential <quoted_string>; // deprecated
        tkey-gssapi-keytab <quoted_string>;
        tls-port <integer>;
        transfer-format ( many-answers | one-answer );

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 0c8bcb6c202e5e8c909a13387102ca43c40491aa..e2fc05677ca99be9de06ecedae5e401fef57e90e 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1340,7 +1340,8 @@ static cfg_clausedef_t options_clauses[] = {
        { "tcp-send-buffer", &cfg_type_uint32, 0 },
        { "tkey-dhkey", &cfg_type_tkey_dhkey, CFG_CLAUSEFLAG_DEPRECATED },
        { "tkey-domain", &cfg_type_qstring, 0 },
-       { "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+       { "tkey-gssapi-credential", &cfg_type_qstring,
+         CFG_CLAUSEFLAG_DEPRECATED },
        { "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
        { "transfer-message-size", &cfg_type_uint32, 0 },
        { "transfers-in", &cfg_type_uint32, 0 },